Author Archives: ragnar0k

Are your devices secure? Firmware hacking

Filed under Arduino, Security

Firmware hacking might seem like a complex topic. In some cases it is, but nowadays that is not always true:
some Unix skills and just a bit of social engineering might be enough to make your company or home insecure.
There are several ways through which a company or a person might have received a compromised device:

  • A company receives demo hardware from a vendor in the mail; why not try it?
  • The guy in the shop decides he wants to monitor his customers; how about quickly removing the seal and compromising the firmware?
  • The website serving firmware updates has been compromised (either on your side, for example through DNS poisoning, or on their page)
  • The firmware was downloaded from a strange internet source

There might be a few more reasons, but let's get hands-on and see how easy firmware hacking can be! I am trying this on my Arduino Yun, as it uses OpenWrt + squashfs. Squashfs is very widely used nowadays (see for example the dd-wrt compatible devices). What we need is:

  • The firmware (in our case the Yun firmware is openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin)
  • A Linux box. For this blog entry I will use Debian, but I guess the same will work under Ubuntu and other Debian-based distros

It is worth noting at this point that I fully support Arduino's choice of an open solution such as OpenWrt, and squashfs is not the problem. Hacking firmware is still possible even with proprietary formats, as long as the source of the firmware (or the person handling the device before you) is not trusted.

Let’s first install the right tools. As root, run:
aptitude install squashfs-tools

The tools we need are unsquashfs and mksquashfs. Now, let's get some information on the file:
unsquashfs -s openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin

This should give output like the one below:
Found a valid SQUASHFS 4:0 superblock on openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin.
Creation or last append time Sun Nov  9 01:25:00 2014
Filesystem size 7799.69 Kbytes (7.62 Mbytes)
Compression xz
Block size 131072
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always_use_fragments option is not specified
Xattrs are compressed
Duplicates are removed
Number of fragments 130
Number of inodes 2083
Number of ids 1

In particular “Compression xz” will be useful to us when rebuilding the package.
Let’s now decompress the filesystem in a working directory:
unsquashfs openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin

A new directory should now be present: squashfs-root. It contains all the files of the router. The purpose of this article is of course only to demonstrate how a firmware could be compromised, so we will only create a simple example: something that, at boot, writes a file under /tmp.

First we go into /etc/init.d (inside squashfs-root) and create the script, which we will call "hackTest".
The file will contain:
#!/bin/sh
echo "This might be a virus :)" > /tmp/virusTest

Let’s make it executable now
chmod +x hackTest

…And link it into the start sequence in /etc/rc.d (again inside squashfs-root). In my case, I decided to set it to S94:
ln -s ../init.d/hackTest S94hackTest

Now all is good to go – let’s pack our squashfs. Go back to the folder containing squashfs-root and create the new firmware:
mksquashfs squashfs-root openwrt-ar71xx-generic-yun-16M-squashfs-sysupgrade.bin -comp xz

Note "-comp xz": this is the compression that was listed in the file info above.
All is now ready. Update the Arduino and wait for the reboot.

Now, I understand that someone might think: isn't it easier to just modify the system once it has booted?
Well, that is true, but on a factory reset things will go back to normal. Also, most of these devices provide only a limited set of read/write directories, so searching for issues if someone gets suspicious is a lot easier.

So what is the solution?
Well, once the firmware is downloaded, make sure the MD5 is correct, getting the MD5 strings from a different source (for example, your desktop). If the firmware already on the device was modified, however, chances are it will refuse to upload the new firmware or might automatically modify it during the install. This is quite a difficult matter to resolve, and if we ever go back to a mainframe-style architecture in the future (i.e. Chromebook) this will become an even bigger issue; making the firmware proprietary is not the solution either (see the various iOS hacks).
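As an added example (not code from the original post, nor from the OpenWrt or Arduino projects), here is a small POSIX shell script for the defender's side of the procedure above. It does two things: it checks a downloaded image against a digest obtained out of band (the post suggests MD5 from a second machine; SHA-256 is used here because MD5 collisions are cheap to produce), and, once a known-good vendor image and a suspect image have both been unpacked with unsquashfs, it lists every path, file digest or symlink target that exists only in the suspect tree, which is exactly where an added /etc/rc.d/S* link or an edited /etc/init.d script shows up. The firmware file, both directory trees and the tampering are constructed inline so the script runs offline; the functions themselves take real paths.

```shell
#!/bin/sh
# Added example, not from the original post. Defensive checks around a
# squashfs firmware image:
#   verify_firmware  image vs. digest fetched from a second source
#   diff_trees       entries only present in an unpacked suspect tree
# Everything under make_fixture is constructed for the demo.

# sha256_of FILE: hex digest via coreutils sha256sum, or shasum as fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 < "$1" | cut -d ' ' -f 1
    fi
}

# verify_firmware IMAGE EXPECTED_SHA256: succeed only if the digest matches.
verify_firmware() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# list_tree ROOT: one line per entry under ROOT, relative to it, sorted in
# the C locale so comm(1) can consume it:
#   directories -> "./path"   files -> "./path <sha256>"   symlinks -> "./path -> <target>"
list_tree() {
    (
        cd "$1" || exit 1
        find . -mindepth 1 | while read -r p; do
            if [ -L "$p" ]; then
                printf '%s -> %s\n' "$p" "$(readlink "$p")"
            elif [ -f "$p" ]; then
                printf '%s %s\n' "$p" "$(sha256_of "$p")"
            else
                printf '%s\n' "$p"
            fi
        done | LC_ALL=C sort
    )
}

# diff_trees REFERENCE SUSPECT: print entries present only in SUSPECT.
# Returns 0 when nothing differs, 1 otherwise. A changed file gets a new
# digest, so its line is "new" and is reported as well.
diff_trees() {
    ref_list=$(mktemp); sus_list=$(mktemp)
    list_tree "$1" > "$ref_list"
    list_tree "$2" > "$sus_list"
    extra=$(LC_ALL=C comm -13 "$ref_list" "$sus_list")
    rm -f "$ref_list" "$sus_list"
    if [ -z "$extra" ]; then
        return 0
    fi
    printf '%s\n' "$extra"
    return 1
}

# make_fixture: constructed stand-in for a firmware download plus two unpacked
# trees. The "suspect" tree has an extra boot script wired into rc.d and a
# one-line change to an existing init script. Prints the base directory.
make_fixture() {
    base=$(mktemp -d)
    printf 'constructed stand-in for firmware image bytes\n' > "$base/firmware.bin"
    for tree in vendor suspect; do
        mkdir -p "$base/$tree/etc/init.d" "$base/$tree/etc/rc.d"
        printf '#!/bin/sh\n# constructed: start networking\n' > "$base/$tree/etc/init.d/network"
        ln -s ../init.d/network "$base/$tree/etc/rc.d/S40network"
    done
    printf '#!/bin/sh\n# constructed: not in the vendor image\n' > "$base/suspect/etc/init.d/extra"
    ln -s ../init.d/extra "$base/suspect/etc/rc.d/S94extra"
    printf '# constructed extra line\n' >> "$base/suspect/etc/init.d/network"
    echo "$base"
}

# Stand-alone run over the constructed fixture.
demo_base=$(make_fixture)
# In real use the expected digest comes from a second source (the vendor page
# read on another machine), never from the file being checked.
demo_expected=$(sha256_of "$demo_base/firmware.bin")
if verify_firmware "$demo_base/firmware.bin" "$demo_expected"; then
    echo "digest matches: OK to flash"
fi
echo "entries only in the suspect image:"
diff_trees "$demo_base/vendor" "$demo_base/suspect" || echo "=> do not trust this image"
```

Run it against real directories with `diff_trees /path/to/vendor/squashfs-root /path/to/suspect/squashfs-root`; digests on regular files mean a script that keeps its name but gains a line is reported, not just a new file or a new rc.d link.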

Arduino Yun VS Raspberry PI B+

Filed under Arduino

Why Arduino Yun vs Raspberry Pi B+? I think a direct comparison is always good, although I believe they cover two different areas (the Yun remains solid on its Arduino foundations, while the Raspberry Pi wants to be more like a mini Linux desktop).

Specs
I won't go through the specs in detail; there are plenty of blogs for that. Suffice to say the Arduino Yun basically has one RJ45 Ethernet port, one USB port and one micro-USB port (for programming and power); it can also connect through Wi-Fi.
The Raspberry Pi instead tries a bit harder to be a desktop, with 4 USB ports, one RJ45, one HDMI and a headphone jack (with microphone) but no Wi-Fi. Both have a micro SD card slot. For this test I will use the same card type on both:

[Image: SDHC card]

What makes this test interesting is comparing a 700 MHz ARM platform (RPi) against a 400 MHz MIPS platform (Yun). The latter is slower on paper, but its OS is much more lightweight…


Size

The Raspberry PI is definitely bigger, which is understandable given the additional ports.

[Image: Yun comparison]

OS
The Arduino uses its standard Linux distribution based on OpenWrt, which is much slimmer than the Raspberry Pi's Raspbian.

The data
So, introduction done, let's do a bit of work. Python is present on both the Pi and the Yun, but I decided to use Perl, as I can also port it easily to my e450. Yes, I will add my Sun e450 to the tests, and since I am at it, I will also add my MacBook Retina.

First test: dd if=/dev/zero bs=40M count=1; sync

[Image: /dev/zero results]

Second test: dd if=/dev/urandom bs=40M count=1; sync

Third test: calculate the MD5 of 394748 strings (separately)

Now, what comes out of it, other than the e450 almost getting beaten by small embedded devices?
Well, the Pi is generally faster than the Yun. But I don't think being very fast was ever the goal of the Yun. The Yun provides all the usual Arduino infrastructure separately, but now it can be controlled from a separate Linux system. Despite the Linux part being "secondary", or a controller, if you wish, of the old Arduino interface, it still manages to put up a decent performance. The Yun's Linux is very basic in fact; even to use Perl I had to upgrade the firmware and install the Perl packages.
To conclude, if you would like a small PC with OK performance, the Pi is for you. If instead you would like an Arduino with an external Linux controller that can influence certain loops in your system, then the Yun is for you; just don't expect a full-fledged Linux system, it is just not what the Yun was made for.

Sun e450 refresh guide [Part 1]

Filed under Systems

So, it's been a while, as I have been on holiday. I am planning lots of things, and hopefully soon I will be able to dedicate some more time to security as I dive deeper into security research (I have lots of ideas for tools to write, maybe a re-code of annfid).
Now, amongst the various things, before the holidays I bought two Sun e450s (or Enterprise 450) and thought about writing a proper Sun e450 refresh guide. I know what you are thinking: "your smartphone is more powerful", but well, why would people buy Commodores then?
Those things were quite pricey 10 years ago, but now I bought one with hard drives and all four CPUs for less than 100$, so I bet I am not the only one buying them.
This will be part one; I'll write something more later with more screenshots.

So, here are a few tips:

NVRAM
This is the first issue you will find. The NVRAM is probably dead!
You can tell this from two things:
– The host id is something like ff:ff:ff:ff:ff (it might have some 'e's or something else; it doesn't matter)
– You type setenv and after a reboot it doesn't pick it up.

Now, you will find online some guides to DIY-fix the NVRAM; I honestly don't think the site is a fake, but I can say the NVRAM mod did not work for me.

[Image: nvram]

There are no specific differences amongst NVRAMs that I know of, so I can't see why a 450 would not take a modified NVRAM. In any case, there is a shop on eBay that sells NVRAMs for a decent amount of money; it might be worth taking a look there, as it worked for me straight away and could save quite some time (soldering the cables on the small NVRAM power pins is quite a challenge)!

If you are wondering where the NVRAM is, it is the chip on top of the PCI slots with a yellow sticker/stripe. It sits in a socket that is very easy to pull from the sides; I'll put a screenshot up when I have some time.

Maintenance light blinking
This is not a serious issue. The Sun e450 owner's manual (which is seriously worth reading if you are just getting started) says that unless the light is steady, it is not an issue. Most times, by default, the system will enter OBDiag (OpenBoot Diagnostics), which can last quite a while. In my case, it can take up to 10 minutes for the machine to start!

Default net boot
If your machine has been blinking until now, it will probably also boot from the diagnostic device. Usually the default boot device is set in the variable 'boot-device', where you might want to put cdrom or disk. But if the device boots after diagnostics, it will use the 'diag-device' variable instead. Just do a setenv diag-device disk and it will boot from disk. If you are stuck on the net boot, just press Stop + A to get to the Ok prompt.

Oracle being Oracle
Before you start you might want to know this: as I write, to get patches from Oracle you need to be approved as a client, so forget fixes (well, unless you are a company with a contract, of course). Also, starting from Solaris 11 our beloved Sparc II is no longer supported. Solaris 10 is the best we can get (which is not too bad actually); maybe you might want to install Debian there instead, or remove the hardware and use it as a funny PC case.

End of part 1

By the way, for cold winters, E450s are great heaters!

Arduino Pulsesensor review (with Arduino micro)

Filed under Uncategorized

So, in the previous post I said I am interested in hacking the human being…
Now, biohacking is not a new topic; there are plenty of websites and blogs on it, and I will surely cover the topic in more detail later.

Amongst the various topics (galvanic response, brainwave sensors and so on…) I think one good indicator is the heartbeat. Heartbeats can increase or decrease under stress, so they can be an excellent feedback mechanism. Fortunately, the company pulsesensor.com offers a little Arduino pulse sensor exactly for this.
The sensor uses light reflection to track changes in our skin; those changes can be used to track the heartbeat (a similar mechanism is also used to track blood oxygenation).

[Image: pulsesensor]

The website claims this is a plug-and-play sensor for Arduino… Not quite, I found (though the device is still quite impressive).

The sensor is quite small and fits well under the index finger; here it is next to the Arduino Micro I used for testing:

[Image: Pulsesensor + Arduino Micro]

So, let's plug it into our breadboard with the Arduino: pink cable on A0 (analog pin), red on 3V and black on ground.

[Image: Arduino Pins]

It is important first to insulate the sensor well: a plastic sticker is provided to prevent moisture from interfering (it should be applied on the "heart logo" side) and some insulation is due at the bottom too. Once this is done, let's move to the code.

The website here is a bit confusing. The tutorial points to version 1.1 of the code, which is not compatible with the latest Amped version. I suggest downloading the 1.2 code from their code page before anything else.

At this point some customization is needed, as the code is written by default for an Arduino Uno, whilst here I will be using an Arduino Micro. Make sure both interrupt.ino and PulseSensorAmped_Arduino_1dot2 are in the same Arduino project (drag and drop the missing file) and move to interrupt.ino.
The first part to change (as noted in their tutorial instructions) is the interruptSetup part. Here are my entries for the Arduino Micro:

The default code is written for the Arduino Uno, hence the default values will not work. The second value to change is ISR(TIMER2_COMPA_vect), which on the Arduino Micro is ISR(TIMER0_COMPA_vect).

The code can now be uploaded.
The second part is processing the data. If you are not familiar with Processing, just download it from their website and run the code downloaded from the pulsemonitor page.
Make sure the serial port is correct there. Although the comments say "get the arduino", the tool will simply use the first COM port:

Fortunately it will also print the list of serial ports on the console; in my case I had COM1 and COM3, so my correct entry is the second:

Now all is set, let’s fire up the processing tool clicking on play…

[Image: Pulsesensor processing]

And it works!
Almost.

The heartbeats are way too high; I roughly think they are twice as many, so dividing the output by two will do until I have some more time. Not sure if this is related to the Arduino timer or the Processing tool.

So, overall, this wasn't exactly easy to set up and it is not very plug-and-play, but it really does get the heartbeats accurately (with the default code, the LED on the Arduino blinks on each heartbeat), so I will definitely investigate further…

Google XSS game

Filed under Security

Well, this has been covered widely, but I can't stop myself from writing about it on my blog, as I just had some time to play with it:
Google XSS game
It actually brought me back to the time when I had fun with text-only games (good old MUDs!) :)

Now, if you haven't tried it, I strongly suggest giving it a go; the aim is to make an alert() pop up in different scenarios.
I have to admit, I seriously struggled with #4 (like, hours), but it was well worth it. And reading the tips on the site is not cheating; they are just useful enough.

For #6, feel free to use mine (fabytes.com/ggxss.js; I won't spoil the details, just make sure the certificate is OK on your machine before you use it) :)
And yes, it is safe, I just put alert() in it!

[Image: GoogleXSS]

Why Facebook experiment doesn’t surprise me

Filed under Generic

I don't generally express opinions; that is not the scope of my blog. But I have always been fascinated by how social engineering was always seen as part of the "hacking" process. The first hackers used social engineering quite a lot; has anyone fond of security not read the story of Kevin Mitnick when young? A lot of his work involved social engineering rather than pure hacking. And how could I not mention the controversial Stanford experiment?

Many similar stories can be told, I am sure, and I won't go through them here, but human manipulation is an extremely fascinating topic (though spooky): hacking the human being.

Now, the discussion is around the latest research by Facebook on how emotions can be 'propagated', and how Facebook, by filtering negative emotions (friends' posts), can manipulate the mood of the readers.

Why could this worry some?

Facebook is perceived as some kind of Big Brother (I'm not going there; many sites expand on the topic), and this kind of manipulation is considered 'evil'. The way I see it, this could be an ingenious way to improve sales.

Mood manipulation has always been used for sales, from the car salesman to TV adverts: showing the possible buyer an image that pleases him/her (like an unlikely grateful kid because the mom used a new washing powder, or the car salesman asking the possible buyer to imagine him/herself driving the new car with all the comforts). Putting people in a good mood helps sales in general; making people panic could help sell some other products (say, pepper spray).

The problem here is that whenever we see an advert, or go and buy a car, we go into "defensive mode", so we are expecting to be tricked. This time it happened without us being 'conscious' of it; but are we sure this is news?

Let's now think about something very common in Hollywood: product placement (i.e. when the cool main character opens the fridge and drinks a fresh cola). Isn't this the same principle?

As TV viewership declines, this is where the big bucks are, and I see Facebook's research as just the next logical step after product placement. After all, for the new generations Facebook and YouTube are the new TV, only this time product placement can be more emotional and personalised, hence more effective.

So, is avoiding Facebook the answer? This is up to the reader.

Facebook will just have more 'manipulation' power, as the filtered information will come from our friends; but thinking that the problem is and will be limited to Facebook would be naive. Cookies and IP addresses are continuously collected, and our information is gathered online regardless of Facebook. All in all, it is important for the user to limit the information they share and remember that the internet as a whole is mined by advertising. So, next time we want to hear an unbiased opinion, it might be best to just ring our friend, and just expect, whenever we switch on a monitor or a TV, to be bombarded by ads…

Protonmail security review

Filed under Security

Note: Protonmail is still in beta, so things might change

Protonmail promises to deliver security to the mail world, accessible without any kind of monitoring from their side. As I write, their project on indiegogo.com has 27 days to go and has already reached 128% of the goal.
So, after all the media coverage Protonmail has received, is it really going to be the next alternative to Gmail?
But most importantly, is it as secure as advertised?
Let's look into some of its features…

[Image: MailPage]

The interface is very simple, no fuss. Gladly, there is no advertising so far based on "anonymous data" collected from our mail content. That is a good start, I think.
As promised, the JavaScript side is not compressed, leaving a bit of transparency to the user, but I'll get to it in a bit…

[Image: CodeJS]
The interface to compose mails is also very simple; it would be comparable to any standard webmail client, if it wasn't for the encryption features on the right:

[Image: SendMail]
We can encrypt the mail and give it an expiration. I am not quite sure why an email would expire when saving the contents for offline reading is very easy, but let's move on…

Debugging a little, it seems clear that we use our public key client-side to encrypt our mail:

So, the base encryption is AES256.

I believe the arguments are then built within #totalpackage and sent (where the PGP part is added for *@protonmail.ch emails):

Then the draft is created:

This is good news: they are using the openpgp.js library to encrypt the messages, so it really all happens on the client side. OK, but actually, this can be done with Thunderbird too, or most mail clients. That said, having it JavaScript-based gives me the opportunity to have my PGP data always with me, even on someone else's device.

Anyway, at the beginning I clicked to send the document encrypted externally. It seems to me that this part:

is responsible for encrypting outbound messages. It looks to me like this will encrypt the message only with a hashed AES256 pass (see the encryptMessage function in the code above). Keep this in mind; we will get into it in a bit.

We then receive the email from Protonmail. Obviously no receiver public key is checked, since we don't know it (and I can't find a way to add one).

[Image: mail]

The question at this point is…

Are external mails kept encrypted only with AES256, using a SHA256 of our password as the key?
It might seem like an OK solution now, but I bet in 5 years' time cracking a SHA256 won't take so long. Even now, with supercomputers, it won't take long to break this SHA256. I personally don't think protonmail offers adequately secure external email at this stage.

In addition, replying to external emails is currently impossible, but this might change.

Now, let's forget about the AES256 scenario for a while. What are the other issues?
Well, there are no signatures and no certificate authorities here, so anybody with access to the mail and the password (let's assume someone is sniffing chats + mails) can actually get the data.
Ultimately, not using public keys will lead to an additional exchange of keys, which in turn leads to a less secure solution.

All in all, this is a well thought-out system, though I think little privacy is offered with externally encrypted emails (which, in theory, can be decrypted by the server owners), and even our local emails might not stand the test of time (also, how scalable is it? Will we be able to change algorithms in the future without rebuilding the whole inbox?)

Nevertheless, my support goes to the guys; it is a great step forward from what we had before, and even though there is room for improvement (and well, it is always possible my analysis has some flaws, so feel free to comment) I think this is one way to make cryptography really accessible to anyone.

…Just one last heads-up. There are some pretty heavy limitations (in particular if you are used to Gmail's space):
[Screenshot - 21.06.2014 - 02:10:25]

Neural networks: anger!

Filed under Neural networks

I really love neural networks; they can do practically everything, and I am convinced they will be more and more part of our future. From big data to site suggestions, I can see them catching up…

But I can't help being annoyed sometimes when working with nets. Some time ago I managed to write Annfid entirely using nets (Encog), which I think is great for forensic investigations, but then sometimes you get stuck on little things, and that is where the pain starts.

So, I wanted to write a little article here on how to get going with neural networks, and here the disappointment comes. I fed the nets with some data like:

1 + 1 = -4

2 + 2 = -2

3 + 3 = 0

4 + 4 = 2

5 + 5 = 4

on 6 it becomes spooky, but here is more or less the baseline: every number n is actually n – 3. This means that 3 = 0, and the results turn out normal. Strangely enough, the neural networks could not resolve this simple pattern! Now, I have to admit that for this code I used a new version of Encog, but nevertheless the net gets stuck during the training.
I write the code below, in case someone reads this and might have some ideas…

By the way… new RequiredImprovementStrategy() is really a great idea (it resets the net if there is no improvement >1% after the specified number of cycles)!

EDIT
After this post I wrote on the Encog forum. The project owner (Jeff Heaton, he actually answers on the forum!) pointed out that the sigmoid activation requires input between 0 and 1.
So, here is the corrected code, where 1 is 0.1 and 9 is 0.9; the results are much better (sorry, I wrote it in C# this time)!

Plaid CTF

Filed under Generic, Security

Plaid CTF (capture the flag) game: I wanted to play a little before the weekend, but it seems that people would rather DDoS it. I wonder why there must always be someone spoiling the game… Or is it a way to gain some time?

Bitcoin mining: how profitable?

Filed under Generic

Now that we have gone through the theory, it is time to talk money and roll up our sleeves.
(You can read part 1 if you need to refresh the basics!)

So, how profitable is mining?
Here the bad news starts.
Remember the difficulty rating from the previous article? Initially a CPU was sufficient; it was OK to just use the CPU for some mining. But as we know, generic processors (i.e. CISC) are not exactly the fastest around, although they are good for multi-purpose instructions.

Then people started to use GPUs. GPUs can execute routine jobs much more easily, as that is all they were built for: executing instructions. But again, GPUs were not really designed to process bitcoin blocks.
But the era of the GPU is now coming to an end with ASICs (application specific integrated circuits): these have been designed for the specific purpose of processing bitcoin blocks.
Now, while everybody at home has a CPU or a GPU, ASIC hardware is basically useless for anything other than mining bitcoins. And while with a good GPU we might have got close to 500 MegaHash/second, with a little USB ASIC we can easily get 2.5 GHash (like my little redfury).

And here we can start doing a bit of maths. Given I was curious to test ASICs, I bought the redfury sticks, which cost around 100$/120$ each.



Now, remember the difficulty rating? While I bought two of those, someone might have bought a whole lot, creating huge arrays with an investment of over 1000$. Newer ASICs are coming out (e.g. ice fury); some even have dedicated ASIC servers.
In the meantime, difficulty goes up.

Now, I have been mining for one month: at 5 GH/s I managed to get around 0.02, which makes roughly 8.5$.


Funny thing is, many "pool" services (more about this later) will not pay under a certain threshold (in the case of eclipseMC, which I am using, it is 0.2)

At this rate (so, without a difficulty increase), making up the cost of the sticks will take me two years, without counting electricity costs. Of course, if I were to invest 3000$ in a dedicated machine, I would probably be able to make money much faster and pay off the investment much faster.

But is it really worth it? This is what I think:

  • Assuming we can get 4000$ in mined bitcoin, is it really a sound investment? Bitcoins will need to be sold or re-used, but the virtual shops accepting bitcoins are just a handful, while the 3000$ of investment were very real…
  • What if an exploit is found in the meantime that invalidates the bitcoins? What will happen to the 4000$? Though I guess there is a risk in every investment, but…
  • What happens if a new ASIC with 4000 GH/s comes out in the meantime, increasing the difficulty so much as to make any effort with the current hardware pointless?
  • What happens if bitcoins devalue considerably?

Again, risks are around the corner everywhere, but in this case I would really consider these factors before investing seriously (because that is the only way to make a return); it might be less risky to invest in the stock market!
As far as I am concerned, I can always say that I am also fascinated by how the redfury works; maybe with some PCAP I might be able to decrypt hashed passwords? Looks quite complicated, but you never know, time will tell…

What are the alternatives?

Litecoin is a good alternative right now, and as I write this article ASIC hardware for it is a fairly new thing. But is it worth investing good money in Litecoin when Bitcoin already exists?

Get started!

This tutorial is for a Linux box, but it should be easy on Windows as well.
The first thing to do is find a mining pool. Mining alone is not suggested, as rewards are given per block solved, and solving a block alone with a mere 5 GH/s is nearly impossible. A list of mining pools can be found here, though I found myself well served by the Eclipse Mining Consortium (which will not pay below 0.02bc). To get paid we need a wallet; coinbase is a good place to start. Desktop software without services can also do this, but it will be necessary to download the block chain… which can take a loooong time. Coinbase will give a wallet address fast and with no fuss. The wallet can be configured in the mining pool.

Create a new worker and password, these will be your username and password for the miner.

The next step is to configure the mining software. For ASIC hardware (and CPUs), cgminer is the best solution. Addresses to connect to can be found here for Eclipse MC; being in Europe myself, I will use stratum+tcp://eu.eclipsemc.com:3333.
Under "manage worker" it will be possible to create a new worker and set the password. The worker can then be specified when cgminer starts:

[Image: Login]

Fingers crossed, you should see the workers green and the hashes flowing:

Conclusions
Mining was not made to be profitable. But Bitcoins have huge potential, and the value might still go up. If you decide this is something you are interested in investing in, give it a go, but it won't be cheap!
One thing I found nice is that, given that I always leave my PC switched on, I can make good use of it to make a few pennies; maybe in three years I will have paid off my red furies and might be able to claim I got myself a beer out of it! :)